On Thu, Jul 09, 2026 at 10:52:04PM +0000, [email protected] wrote:
> > commit 96cce16e26dd02a8678f1e87f88a4b5cdb63b995 upstream.
> > The BPF JIT allocator packs many small programs into larger executable
> > allocations and reuses space within those allocations as programs are
> > loaded and freed. When fresh code is written into space that a previous
> > program occupied, an indirect jump into the new program can reuse a branch
> > prediction left behind by the old one.
> > Flush the indirect branch predictors before reusing JIT memory so that
> > indirect jumps into a newly written program don't reuse predictions from an
> > old program that occupied the same space.
> > Introduce bpf_arch_pred_flush_enabled static key and bpf_arch_pred_flush
> > static call for flushing the branch predictors on JIT memory reuse.
> > Architectures that need a flush, can update it to a predictor flush
> > function. By default, its a NOP and does not emit any CALL.
> > Allocations larger than a pack are not covered by this flush. That is safe
> > because cBPF programs (the unprivileged attack surface) are bounded well
> > below a pack size. Issue a warning if this assumption is ever violated
> > while the flush is active.
> > Signed-off-by: Pawan Gupta <[email protected]>
> > Acked-by: Daniel Borkmann <[email protected]>
> > Signed-off-by: Daniel Borkmann <[email protected]>
> 
> The reuse path this patch hardens (bpf_prog_pack_alloc() finding a free
> area within a pack, and the size > BPF_PROG_PACK_SIZE branch) comes from
> the pack allocator that first packed many programs into shared executable
> allocations and reused freed space within a pack.
> 
> Should this carry a Fixes: tag pointing at that commit?
> 
>   Fixes: 57631054fae6 ("bpf: Introduce bpf_prog_pack allocator")

It doesn't add much value. This commit insn't really buggy, it needs no fix
for the eBPF. The fact that cBPF is unprivileged, opens a window for a JIT
spraying attack. Also, the the patch is a backport, so it should stay close
to upstream.

Reply via email to